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System For Encrypting Data Files Of Application Programs 

Field Of The Invention 

The invention relates to a system for encrypting and dynamically 
decrypting data files of application programs. More particularly, the invention 
5 relates to a system for encrypting and/or decrypting an application's data files 
without user intervention and without modifying the application program. 

Background Of The Invention 

Computers have fast become a common tool used by companies and 
industries to conduct business activities. Further, computers have affected 

10 almost every aspect of how businesses are run and are used not only by high- 
level decision makers, but also by secretaries and shipping clerks. 
Management may use computers to store important client contacts while 
secretaries may use computers to store documents and spreadsheets. In 
addition, human resources may use computers to store employee records and 

15 payroll. As one can see, computers can affect a large part of how businesses 
function. As computer use has expanded, so has the need to store computer 
files generated by company personnel. Hence, network drives were 
developed to help workers store vast amounts of data files and by networking 
a company's computers together, workers can generally access the files from 

20 different computers throughout the company and even from remote locations. 

Because many departments within a company store their data files, 
some of them confidential, on the same network as other departments, one 
who has access to the network may also have access to all the data files 
stored on it. Hence, a shipping clerk may have access to confidential 
25 employee records if both are stored on the network drive and this would be 
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undesirable. Therefore, it is desired to restrict access to certain files only to 
authorized users. One way to do this is to load the software applications that 
are typically used to access the files only on authorized users' computers. 
For example, load the text processing software application Word® only on 
5 secretaries' computers. Without Word® loaded on a shipping clerk's 

computer, he should not be able to read a Word® file. However, one can still 
access the Word® files, without using the Word® software application, 
through the use of other applications, such as the application WordPerfect® 
or simply by loading Word® onto his or her computer. 

10 Also known in the art of computer software applications are various 

methods for restricting access to certain users by requiring authorized users 
to enter a password in order to log on, or enter, a computer system. Likewise, 
certain applications can also be restricted by password as well. By requiring a 
password, not only is the application restricted, but, theoretically, so are the 

15 data files created by the application that can be retrieved once the user has 
successfully logged into the application. 

Controlling access rights to certain files, directories, and drives on the 
network, however, can be unwieldy to manage and may be secure but 
prevents access by some who might do work. Usually, access rights are set 
20 up by password but are often notoriously insecure with users selecting their 
phone numbers, pets 1 names, or children's names as passwords. Further, 
some users may also tape their passwords to the monitors or desks, or keep 
the passwords in their desk drawers. 

Network security problems are exacerbated by the rise of the Internet 
25 since virtually everyone on the Internet theoretically may have access to every 
file stored on every computer with Internet access. The Internet has also 
given rise to heightened privacy concerns throughout the computer industry. 
Governments throughout the world, particularly the United States and Europe, 
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have or are considering various pieces of legislation to protect consumer 
privacy. 

In order to restrict access rights or put security measures in place, 
developers may need to modify their software applications. This may be 
5 complicated and difficult when the applications have been substantially 

completed because the developers may need to rewrite vast portions of the 
applications' source codes in order to incorporate the added security 
measures. Furthermore, developers may need to hire new programmers with 
special skills in areas such as encryption. End users, such as companies, 
10 may also need to retrain employees who are affected by the changes in the 
application source codes for these changes may affect the way the 
applications are used. 

Once security measures and/or access rights are installed, only 
authorized users should theoretically be able to access the files in prior 

1 5 systems. However, unauthorized users may still be able to access protected 
data files if such files are decrypted using traditional methods. One such 
method would be for an encrypted file to be copied to a temporary directory, 
whereby the user can then edit the temporary file. Once the user saves 
changes to the file, the file is then reencrypted. However, the temporary file is 

20 left unencrypted and accessible to unauthorized users during the entire period 
it is being used. 

With other known encryption methods, users have had to repeatedly 
designate each file to be encrypted and/or decrypted. This included newly 
created files and old files that were edited. With this kind of involvement, 
25 users may neglect or forget to reencrypt a file that was recently decrypted for 
editing purposes. In addition, while designating multiple files to be encrypted, 
users may inadvertently encrypt a file that is meant to be unencrypted. As 
one can see, human error and time pressures may frustrate a company's 
desire for protecting files. 



-5- 



Further, many software developers may desire to add data security 
and/or encryption to their existing software applications in the form of an add 
on feature that allows security to be added without modifying the existing 
applications. This add on feature enables developers to simply and easily 
5 enhance their products without modifying an application's source code. This 
add on security feature may also appeal to end users, such as companies, 
who want to add security measures to their existing applications without 
having to retrain employees or hire computer programmers to modify the 
applications. 

10 In addition to securing data files, end users may also want to back 

them up, or copy them, in the event the original files are accidentally lost or 
destroyed. However, not all back up systems can provide copies of the 
destroyed data files. For example, in the unfortunate event that the building is 
destroyed by fire, it is likely that any backed up copies stored in the building 

15 will be destroyed along with the original files. It may also be beneficial to 
provide a way of backing up files as an add on feature that can be added to 
existing applications without the need to modify them. 

Further, other add on features may be provided such as a way of 
tracking and auditing modifications to files. This add on feature would be able 
20 to identify who made the modifications, when they occurred, and what kinds of 
modifications were made. 



What is desired, therefore, is to create a system for encrypting data 
files of application programs without placing unencrypted copies of the files on 
a storage device, without modifying the application program itself, and without 
25 requiring user intervention. It is also desired to create a system for adding 
features to application programs, such as encrypting/decrypting and/or 
backing up an application's data files, preferably to a remote location. It is 
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further desired to create a system capable of tracing and auditing file 
modifications. 

Summary Of The Invention 

Accordingly, it is the object of this invention to provide a system for 
5 decrypting data files of application programs without placing an unencrypted 
copy of the file on a storage device. 

Another object is to provide a system for encrypting and/or decrypting 
an application's data files without user intervention. 

A further object is to provide a system for encrypting and/or decrypting 
10 an application's data files without modifying the application program. 

Still another object of the invention is to provide a system which 
decrypts application data files in memory only. 

Yet a further object is to provide a program that allows developers 
and/or end users, such as companies, to add features to existing applications 
15 without the need to modify the application or retrain users. 

These and other objects of the invention are achieved by a system for 
encrypting data files comprising a computer, storage device connected to the 
computer, an application loaded on the computer for storing and retrieving 
data files on the storage device, and a program that intercepts the data files to 
20 be stored by the application on the storage device and encrypts them before 
they are stored. The system executes on the computer as an addition to 
existing applications and does not require modifications to the applications. 
Further, the system executes automatically without user intervention. As an 
added feature, the system allows for data files to be backed up to another 
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storage device, which may be in a remote location and/or a location that 
allows users at multiple locales to have access to them. 

The system generates a security file that specifies the application 
programs, data files to be encrypted, and encrypt key needed to decrypt the 
5 data files. As an added security measure, the security file is further encrypted 
with a passkey not known by anyone. When decrypting data files, the system 
does so directly in the workstation's memory, thereby eliminating unencrypted 
copies of data files from being created. 

Brief Description Of The Drawings 

FIG. 1 is a schematic block diagram of the system for encrypting data 
files of application programs in accordance with the invention. 

FIG. 2 is a schematic block diagram illustrating the encryption of data 
files and the creation of a security file to set up the system of FIG. 1 for use. 

FIG. 3 is a schematic block diagram illustrating use of the system of 
FIG. 1 to retrieve encrypted and non-encrypted data files upon user request 
through the applications. 

FIG. 4 is a schematic block diagram illustrating encryption of the 
application security file with a randomized passkey. 

FIG. 5 is a schematic block diagram of another embodiment of the 
20 invention of FIG. 1 in which files of application programs are intercepted for 
other/additional purposes prior to storage. 
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Detailed Description Of The Drawings 

FIG. 1 depicts a system 8 and method for encrypting data files 22 
comprising a computer 12, a storage device, an application, and a program. 

The storage device includes any medium where files can be stored 
5 including a computer's hard drive, another internal drive, an external drive, a 
floppy drive, or a backup drive such as a zip or jazz drive. Further, suitable 
dives are not limited to magnetic drives but may also optical drives, tape 
drives, volatile or non-volatile drives. Most types of storage devices will 
suffice for the purposes of the invention because they generally serve the 
10 same underlying purpose, to provide a medium to store data files 22. 

The system 8 encrypts and decrypts data files 22, which include entire 
files or portions of files. Meaning the invention is capable of reading entire 
files and portions of files, or records, and then encrypting, decrypting, and 
reencrypting the desired parts. 

15 The application should be one that is capable of storing and retrieving 

data files 22 stored on said storage device. This includes a broad range of 
applications for most, if not all, applications are capable of storing and 
retrieving files including, but not limited to, Word®, Excel®, ACCESS®, and 
CADKEY®. In addition to the above, which are generic and commonly sold in 

20 stores, the application may also be one that is customized to a customer's 
specific requirements and is generally written by a computer programmer 
hired by the customer. For example, companies routinely hire independent 
contractors or outside consulting firms to write applications useful only to the 
company's particular line of products. Whether the application is a stock 

25 item or customized program, the end user or customer, would probably not be 
familiar with nor interested in writing or modifying a computer source code to 
accomplish their changing needs but will likely buy another application or hire 
another computer programmer. 
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Further, vast differences among the various applications will not affect 
the use of system 8 because it is written to be added to existing applications 
and not integrated with the applications' source codes. In effect, an 
application's computer language is not relevant to the invention's operation. 
5 Therefore, the way the application is used by the end user has not changed 
because the invention does not modify the application. This benefits the end 
user for companies do not need to retrain employees or hire outside 
consultants to reprogram the application and this increases the viability of 
system 8. 

10 System 8 encrypts data files 22 by intercepting them before they are 

stored on the storage device by the application. System 8 knows which files 
to intercept and encrypt because, prior to encryption, system administrator 60 
specifies 66 application identifier 26, which specifies to computer 12 which 
application to launch 62, data files 22 to be intercepted for encrypting and 

15 decrypting, and encrypt key 28, needed for encrypting and decrypting data 
files 22, to system 8. Thereafter, system 8 generates 25 security file 24 to 
contain these specifications, which will be accessed each time data files 22 
are to be encrypted or decrypted. System 8 will be able to determine which 
files are to be encrypted before they are saved and which files require encrypt 

20 key 28 in order to be decrypted. FIG. 2 more particularly depicts the 
encryption of data files 22 and creation of security file 24. 

Because security file 24 contains encrypt key 28, which is the 
password for encrypting and decrypting data files 22, security file 24 may be 
the target of computer hackers looking to gain unauthorized access to the 

25 protected files. Therefore, security file 24 may also desirably be encrypted. 
Security file 24, as illustrated by FIG. 2, is encrypted by passkey 30. Passkey 
30 comprises a combination of the security file's size, time of creation, date of 
creation, and finite list of possible passkeys. Passkey 30 may further use one 
or more components in unspecified amounts. It is this unpredictability in 

30 determining the components of passkey 30 that makes it desirable to encrypt 
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security file 24. FIG. 4 more particularly depicts encryption of security file 24 
with passkey 30. 

Upon user request 68 to open an application and retrieve files, system 
8 will launch application 62 and determine 70 whether the files requested are 
5 encrypted or not. If the requested files are encrypted, system 8 automatically 
decrypts security file 24 with passkey 30 and subsequently reads and uses 
encrypt key 28 to decrypt data files 29. If the requested files are not 
encrypted, system 8 launches application 62 and retrieves data files 22 
without using encrypt key 28. FIG. 3 more particularly depicts the use of the 
10 system for encrypting data files. 

It should be noted that system 8 operates automatically without user 
intervention. No user input is needed for system 8 to function properly and 
this includes encrypting and decrypting files. In addition, system 8 runs 
hidden from the user and is not visible on the computer screen. Hence, when 
15 a user saves a file, system 8 automatically begins and determines whether 
the file is to be encrypted and, if so, system 8 encrypts said file. Likewise, 
upon a request to retrieve a file, system 8 automatically decrypts the file and 
sends it to the user. The user cannot tell, visually or otherwise, that the 
invention is even there, let alone operating. 

20 In addition, system 8 retrieves and decrypts data files 23 in memory. 

Meaning the requested files are decrypted in the local computer's memory 
and sent to the user 64. At no time is the file decrypted on a disk or a 
temporary directory where an unencrypted copy of the file would be created. 

FIG. 2 depicts the encryption of data files 22 and the creation of the 
25 security file 24 to set up the system of FIG. 1 for use. 

System 8 would need a system administrator to specify 66 certain 
criteria in order for it to know which files or kinds of files to encrypt. At a 
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minimum, the system administrator would specify application identifier 26 and 
encrypt key 28. Encrypt key 28 is arbitrarily determined by the system 
administrator. To have the program automatically encrypt files, the system 
administrator would need to specify the data files to be encrypted. The data 
5 files may be selectively chosen to include some or all files associated with the 
application. Further, once the kinds of files have been specified, system 8 
would thereafter encrypt all future files of that kind. This means, for example, 
the system administrator would not need to specify a newly created Word® 
document to the program every time a new document is created, which may 
10 occur daily. This facilitates the use of the invention for, otherwise, the system 
administrator would be constantly specifying new files to the program. 

After the criteria have been specified, system 8 generates security file 
24 to contain all the specified criteria and security file 24 is accessed each 
time a file is encrypted or decrypted because system 8 encrypts and decrypts 

15 dynamically. This dynamic encryption and decryption allows system 8 to 

operate without creating copies of files in a temporary directory, whereby such 
copies would be unencrypted. System 8 would decrypt files in the 
workstation's memory. After a user edits and saves the file, system 8 would 
reencrypt it with encrypt key 28 by intercepting the file before it is sent the 

20 storage device. In addition, system 8 can intercept the files for 
other/additional purposes prior to storage. 

Because security file 24 contains encrypt key 28, which is necessary 
for the invention to work properly, security file 24 may be the target of 
computer hackers looking for the encrypt key to unlock the protected files. 
25 Therefore, system 8 further encrypts the security file 24 with passkey 30. 

Passkey 30 comprises one or more components. Please refer to FIG. 4 for a 
more detailed description of the encryption of the passkey 30. 

FIG. 3 depicts the use of the system of FIG. 1 to retrieve encrypted and 
non-encrypted data files 22 upon user request. 
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Upon user request 68 to open an application 16 and retrieve an 
encrypted data file 29, the program automatically retrieves 72 the security file 
and passkey 30 to decrypt 74 the security file. System 8 is the only entity that 
knows passkey 30. Not even the system administrator knows it. Once 
5 security file 24 is decrypted, system 8 then reads encrypt key 28 and 
application identifier 26. System 8 then uses application identifier 26 to 
launch 62, or open, the application. Next, system 8 decrypts 76 the requested 
data file 23 in the computer's memory and not on a disk, or temporary 
directory, and opens the file through the application. The decrypted file is now 

1 0 before the user for his or her use- 
It should be noted that the system encrypts and decrypts automatically 
without user intervention. Further, the system operates in a manner that 
cannot be detected visually or otherwise by the user. For example, if the user 
normally begins an application by double clicking an icon, the application's 

15 path would be redirected to go through the system before being opened for 
the user. However, the redirected path in which the application is opened is 
transparent to the user for the application he requested has been opened in 
the same manner. 

FIG. 4 depicts the encryption of a security file with a passkey. The 
20 purpose of passkey 30 is to encrypt security file 24, which would provide a 
secondary security measure to data files 22 that are already encrypted with 
encrypt key 28. 

To further provide protection to security file 24, passkey 30 is 
comprised of one or more components. Further, passkey 30 may use a 
25 varying amount of each component. As one can see, the unpredictability as 
to what components are used to form the passkey can be characterized as 
random. Hence, passkey 30 is a randomized passkey. 
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The components that are possibly used by program 20 to form passkey 
30 are as follows: date 40 the security file was created, time 42 the security 
file was created, file size 44 of the security file, and list 46 of possible 
passkeys. 

5 FIG. 5 is a schematic block diagram of another embodiment of the 

invention of FIG. 1 in which files of application programs are intercepted for 
other/additional purposes prior to storage. Besides encryption and 
decryption, the invention can further add other features to existing 
applications, such as a system 51 for replicating or backing up data files to 

10 second storage device 52 which may be located at a remote location. A 
remote location is any location apart from first storage device 54. Second 
storage device 52 may be adjacent from first storage device 54 or they may 
be further apart, such as in different rooms, in different buildings, or in 
different countries. Second storage device 52 would not replace first storage 

15 device 54, but would operate in addition to the latter. Replicating, backing up, 
or copying files are generally useful when the original files are accidentally 
erased or lost and/or when users at multiple locations need access to the data 
files. 

However, not all end users keep the backed up copies in a location that 
20 is safe and this defeats the purpose for making the backed up copies. For 
instance, an end user may keep the copies on floppy disks in the same 
computer room as the original files. Because back up copies are generally 
made often, end users find it more convenient to keep the backed up copies 
within easy reach in order to overwrite the older versions. But by keeping the 
25 copies in the same area as the original files, all files would be lost if there was 
a fire or temperature problem in the room where moisture corrupted all the 
computer disks and files. 

Therefore, system 51 provides a program 20 to back data files up to a 
second storage device which may be in a remote location outside the office. 
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For example, system 51 could back files up to any type of storage device or 
the Internet. Further, the backed up copies can also be secured by encrypting 
and decrypting them the same way system 8 of FIG. 1 encrypts and decrypts 
data files 22. This includes a system for intercepting the copied files for 
5 encryption and other/additional purposes prior to storage on second storage 
device 52. This provides the end users with secure, backed up copies that 
are easily accessed, yet are in a location that may be outside the office. 

In addition to back up purposes, system 51 can provide a program 20 
to track and audit modifications made to files. Tracking and auditing changes 
10 allow system 51 to be able to identify who made the modifications and when 
they occurred. System 51 would also be able to determine what kinds of 
modifications were made. 



Further, program 20 can write updated and encrypted data files to a 
database, which may or may not be remote, whereby multiple offices having 
1 5 access to said database will now have the most recent versions of data files. 

Although the invention has been described with reference to a 
particular arrangement of parts, features, and the like, these are not intended 
to be exhaust all possible arrangements of features, and indeed many other 
modifications and variations will be ascertainable to those of skill in the art. 



